[Logwatch-Devel] Re: [Logwatch-Announce] Logwatch 4.1 has been released
Sat, 19 Oct 2002 19:56:39 -0400
On Sat, Oct 19, 2002 at 12:28:01PM -0700, James Wysynski wrote:
> 2) The only ICMP messages I've seen in my logs are of
> this format, which is presumably why it's not working
> with yours. The ICMP messages are formatted the same
> as everything else is.
> Oct 18 15:13:01 tilt kernel: ICMP drop IN=eth0 OUT=
> SRC=184.108.40.206 DST=220.127.116.11 LEN=64 TOS=0x00
> PREC=0x00 TTL=51 ID=28365 PROTO=ICMP TYPE=8 CODE=0
> ID=52994 SEQ=0
type 8s (ICMP_ECHO) are pretty boring.
> I'm running RedHat 7.3. Do you have a Linux kernel,
> or something else?
i've seen the [bracketed] messages come out for type 11
(ICMP_TIME_EXCEEDED), type 4 (ICMP_SOURCE_QUENCH) and i think
type 3 (ICMP_DEST_UNREACH). i'm running 2.4.18. it is a
7.2 rh system with update including the 2.4.18 kernel.
> 3) Right now I parse prefix, in, out, src, dst, proto.
> For your case it looks like I need to add some logic
> which will catch prefix, in, out, proto, src, dst (and
> possibly the square brackets). It's hard to tell
> without the full log message.
your wish is my command:
Oct 13 11:35:05 internal kernel: FAILED INPUT: IN=eth0 OUT= MAC=00:a0:cc:d0:d9:8c:00:60:8c:39:ed:db:08:00 SRC=18.104.22.168 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=244 ID=5926 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.1.2 DST=22.214.171.124 LEN=67 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=47 ]
Oct 13 12:52:18 internal kernel: FAILED INPUT: IN=eth0 OUT= MAC=00:a0:cc:d0:d9:8c:00:40:96:33:53:6b:08:00 SRC=192.168.1.253 DST=192.168.1.2 LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=47777 PROTO=ICMP TYPE=11 CODE=1 [SRC=192.168.1.2 DST=192.168.1.253 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=18362 MF PROTO=UDP SPT=2049 DPT=800 LEN=8328 ]
mark at winksmith dot com
mark at tux dot org
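As an added illustration (this is not Logwatch code; Logwatch itself is written in Perl, and this is a stand-alone Python sketch), here is a parser that handles both line shapes discussed in the thread: the plain ICMP line, and the ICMP error lines (types 3, 4, 11) whose bracketed tail carries the IP header of the original packet that provoked the error. The three log lines quoted in the thread are used as the sample input. The function names (parse_fields, parse_line, summarize) and the convention of storing a repeated key such as the second ID= or LEN= under KEY_2 are my own choices, not anything Logwatch does.

```python
import re
from typing import Dict, List, Optional

# Sample input: the three kernel log lines quoted in this thread (the first
# one re-joined onto a single line as syslog would have written it).
SAMPLE_LINES = [
    "Oct 18 15:13:01 tilt kernel: ICMP drop IN=eth0 OUT= SRC=184.108.40.206 DST=220.127.116.11 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=28365 PROTO=ICMP TYPE=8 CODE=0 ID=52994 SEQ=0",
    "Oct 13 11:35:05 internal kernel: FAILED INPUT: IN=eth0 OUT= MAC=00:a0:cc:d0:d9:8c:00:60:8c:39:ed:db:08:00 SRC=18.104.22.168 DST=192.168.1.2 LEN=56 TOS=0x00 PREC=0x00 TTL=244 ID=5926 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.1.2 DST=22.214.171.124 LEN=67 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=1024 DPT=53 LEN=47 ]",
    "Oct 13 12:52:18 internal kernel: FAILED INPUT: IN=eth0 OUT= MAC=00:a0:cc:d0:d9:8c:00:40:96:33:53:6b:08:00 SRC=192.168.1.253 DST=192.168.1.2 LEN=576 TOS=0x00 PREC=0xC0 TTL=255 ID=47777 PROTO=ICMP TYPE=11 CODE=1 [SRC=192.168.1.2 DST=192.168.1.253 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=18362 MF PROTO=UDP SPT=2049 DPT=800 LEN=8328 ]",
]

SYSLOG_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<msg>.*)$"
)

# The ICMP types mentioned in the thread; anything else is reported by number.
ICMP_TYPE_NAMES = {
    3: "ICMP_DEST_UNREACH",
    4: "ICMP_SOURCE_QUENCH",
    8: "ICMP_ECHO",
    11: "ICMP_TIME_EXCEEDED",
}


def parse_fields(text: str) -> Dict[str, object]:
    """Turn 'K=V K=V FLAG K=V ...' into a dict.

    Bare tokens (DF, MF) are collected under FLAGS. A key that repeats
    (the IP ID= followed by the ICMP echo ID=, or the IP LEN= followed by
    the UDP LEN= inside the bracketed part) keeps its first value; the
    later one is stored under KEY_2 (my own convention).
    """
    fields: Dict[str, object] = {}
    flags: List[str] = []
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key in fields:
                fields[key + "_2"] = val
            else:
                fields[key] = val
        else:
            flags.append(tok)
    fields["FLAGS"] = flags
    return fields


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one kernel firewall log line; return None if it is not one."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    # The rule prefix is whatever precedes the first standalone IN= token
    # ("ICMP drop", "FAILED INPUT:"); it may contain spaces and colons.
    start = re.search(r"(?:^|\s)IN=", msg)
    if not start:
        return None
    prefix = msg[: start.start()].strip()
    body = msg[start.start():]
    # ICMP error messages append the original packet's header in brackets.
    inner = None
    bm = re.search(r"\[(.*)\]\s*$", body)
    if bm:
        inner = parse_fields(bm.group(1))
        body = body[: bm.start()]
    return {
        "stamp": m.group("stamp"),
        "host": m.group("host"),
        "prefix": prefix,
        "fields": parse_fields(body),
        "inner": inner,
    }


def summarize(lines: List[str]) -> Dict[tuple, Dict[str, object]]:
    """Count ICMP entries per (prefix, type name, SRC, DST).

    For ICMP error messages the interesting part is the bracketed original
    packet, which names the flow from our own host that the error refers to,
    so that flow is recorded alongside the count.
    """
    counts: Dict[tuple, Dict[str, object]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        if f.get("PROTO") != "ICMP" or "TYPE" not in f:
            continue
        itype = int(f["TYPE"])
        key = (rec["prefix"], ICMP_TYPE_NAMES.get(itype, "type %d" % itype), f["SRC"], f["DST"])
        entry = counts.setdefault(key, {"count": 0, "original": None})
        entry["count"] += 1
        inner = rec["inner"]
        if inner is not None:
            entry["original"] = "%s %s:%s -> %s:%s" % (
                inner.get("PROTO", "?"), inner.get("SRC", "?"), inner.get("SPT", "?"),
                inner.get("DST", "?"), inner.get("DPT", "?"),
            )
    return counts


if __name__ == "__main__":
    for key, entry in summarize(SAMPLE_LINES).items():
        print(key, entry)
```

Note that the same key can legitimately appear twice on one line (ID= for the IP header and again for the ICMP echo identifier, LEN= for the IP total length and again for the UDP length), so a naive "last value wins" dictionary silently overwrites the first; that is why repeated keys are kept separately here.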